Cyber Risk: Key Considerations for Boards of Directors During M&A Procedures

Jake Olcott


Data breaches are a constant in today’s headlines, but in recent years cyber risk has also been front and centre in some of the most significant M&A deals, writes Jake Olcott. In 2017, Verizon cut its acquisition price for Yahoo by $350 million after Yahoo belatedly disclosed that it had suffered several massive breaches. Then, in November 2018, Marriott International publicly disclosed that Starwood’s guest reservation database, containing hundreds of millions of personal records, had been compromised since 2014, before Marriott acquired Starwood.

These incidents – along with countless others – raise critical questions. For example, how should Boards be thinking about cyber risk in the acquisition process? What steps should they take to address this risk prior to an acquisition?

First, Boards must understand that cyber risk can significantly affect not only the valuation of a deal, but also the legal liability that follows the transaction. From a Board’s perspective, the fall-out from the Yahoo breach has been significant: multiple securities class action lawsuits, D&O suits and calls for Board removal. Arguably, the Board’s responsibility for overseeing cyber risk management has never been more crucial.

Proper due diligence

How can organisations conduct proper due diligence on a potential acquisition target? In some cases there is a public record of the target’s cyber security posture: organisations may have disclosed security incidents or issues because of their obligations to regulators, and those disclosures can give an acquiring organisation clues about the target’s security posture.

That said, public disclosure is an unreliable source. Organisations have an incentive not to disclose, because disclosure may depress market value, and acquisition targets know that security issues can reduce their valuation. In fact, a 2016 survey by Brunswick found that half of all respondents would trim their valuation where the target company had been breached, whether the breach was discovered before, during or after the merger.

Acquirers will often send their cyber security/information security teams on site at the target to gain a deeper view of the risks and issues that may arise post-acquisition. This matters for budgeting the security ‘fixes’ your organisation will have to implement to bring the target up to your standards. However, this approach has its own limits. The tools available to an acquirer’s cyber team are essentially questionnaires and penetration tests. Even when the target agrees to them, both are time-consuming and reflect only a ‘snapshot in time’ view that does not necessarily account for historical performance.

Challenges around market transparency

How can these challenges around market transparency be addressed in the real world? Investors are finding that Security Ratings can offer significant insight into a target’s cyber security posture and address the information asymmetry problem. Much as a credit rating distils a consumer’s transactional history into a single score, Security Ratings providers continuously collect data in an automated, non-intrusive fashion to generate a data-driven, objective rating of security performance. Broad and deep data sets highlight security performance and Best Practices, giving insight into what has, or has not, been managed well over time. Because the data is gathered without the target’s cooperation, it captures only what is observable from the outside, so a rating complements the on-site review rather than replacing it.

Armed with this data, information security teams can then drill down deeper into the security details of an acquisition. Valuation teams can consider more deeply some of the risks that were previously opaque.

It’s never been more important to consider cyber risk in your investments. The cyber risk that a given company presents has been an often-overlooked element during the M&A process, but it doesn’t need to be that way. Asking the right questions – and acquiring the right data – can go a long way towards reducing the financial risk in a transaction. Board members should never hesitate to raise this issue with management during acquisition meetings.

Jake Olcott is Vice-President of Government Affairs at BitSight
